[Integrit-devel] more integrit patches
From: Yuri D'E. <wa...@yu...> - 2005-09-17 18:21:56
Here are some more changes I discussed with Ed against cvs head
(attached):
- Introduced the new "stop_on_err" directive in the configuration
file. When stop_on_err is 0, and a non-fatal failure is encountered
(like inability to perform a checksum or open a directory) integrit
will warn the user, but continue the process. The exit status will
still indicate the presence of an error. My statement for the need of
this option is:
"You cannot perform static analysis without this option on a
read-only media. You either need to remove the file that's causing
the problem or proceed manually."
Currently defaults to 1 (yes), which makes integrit behave like
the old versions.
- Disabling checksum for a file would still checksum the file during
update, contrary to what the documentation says. This has been
fixed. Moreover, a race condition when comparing databases generated
by different rules (with/without checksums for the same files) was
fixed.
- Since updating and checking on the same file is currently not supported
(I just got a crash), I added a little check that warns the user and
quits.
I saw "configure" got removed from cvs, but some more files need to
be removed consequently:
- config.h.in
- hashtbl/config.h.in
- hashtbl/configure
Just for completeness, README states:
The reason for this limitation is simple: there is no advantage to
using more than one algorithm. SHA-1 (Secure Hash Algorithm 1)
produces a 160-bit checksum. Since there are no known weaknesses in
SHA-1, to find a file with the same checksum as a given file on your
...
I agree with most parts of the text (one good checksum is
sufficient), but please note:
- Multiple checksums for a single file reduce the possibility that,
if a hole is found in one of the algorithms, the same method can be
used successfully against another algorithm. This is, of course,
unlikely, but there's enough ground to justify the need for more than
one algorithm.
- SHA-1 was broken in 2/2005. We should investigate the newer
SHA variants.
Regards
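An added illustration of the stop_on_err semantics described in the post, not code from integrit or from the poster: a hypothetical walker that, with stop_on_err set to 0, records a checksum failure (here a dangling symlink in a constructed temporary tree) and continues, yet still reports a non-zero exit status, and that stores two digests per file along the lines of the multiple-algorithm point above.

```python
import hashlib
import os
import shutil
import tempfile

class IntegrityError(Exception):
    """Raised when stop_on_err is 1 and a non-fatal failure is hit."""

def checksum(path, algorithms=("sha1", "sha256")):
    """Digest a file with several algorithms in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def build_db(root, stop_on_err=1):
    """Walk root and return (db, errors). stop_on_err=1 aborts at the first
    unreadable directory or file; 0 records a warning and continues."""
    db, errors = {}, []
    def fail(what, exc):
        msg = f"{what} {exc.filename}: {exc.strerror}"
        if stop_on_err:
            raise IntegrityError(msg)
        errors.append(msg)  # warn, but keep going

    on_dir_error = lambda exc: fail("cannot open directory", exc)
    for dirpath, _dirs, files in os.walk(root, onerror=on_dir_error):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                db[os.path.relpath(path, root)] = checksum(path)
            except OSError as exc:
                fail("cannot checksum", exc)
    return db, errors

def demo(stop_on_err=0):
    """Constructed tree: a regular file plus a dangling symlink that cannot
    be opened, standing in for a file that cannot be checksummed."""
    root = tempfile.mkdtemp()
    try:
        with open(os.path.join(root, "passwd"), "wb") as fh:
            fh.write(b"root:x:0:0:root:/root:/bin/sh\n")
        os.symlink(os.path.join(root, "missing"), os.path.join(root, "broken"))
        db, errors = build_db(root, stop_on_err)
    finally:
        shutil.rmtree(root)
    return db, errors, (1 if errors else 0)  # status still flags the error
```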